Internet Explorer

Hackers linked to China used a zero-day vulnerability in Microsoft’s Internet Explorer browser to compromise corporate systems at more than 30 U.S. companies, including Google, Adobe and Juniper Networks. According to Microsoft, the vulnerability is still unpatched and can lead to remote code execution attacks if a target is lured to a booby-trapped Web site or views a malicious online advertisement.

Guest editorial by Jason Miller. Microsoft has released six new security bulletins for December. They have also released two new security advisories as well as one bulletin that has been re-released. In addition to the Microsoft releases, even though Adobe’s quarterly security update is scheduled for next month, they are planning to release a security bulletin for Adobe Flash and Adobe Air today.

Microsoft today shipped six bulletins with patches for a total of 12 documented security vulnerabilities in a wide range of widely deployed software products. Three of the six bulletins are rated “critical,” Microsoft’s highest severity rating. The most serious issues affect the company’s Internet Explorer browser, including the newest IE 8 on Windows 7.

Just two weeks after the release of exploit code
for a critical (remotely exploitable) security hole in its Internet
Explorer browser, Microsoft says a fix will be included in this month’s
batch of Patch Tuesday updates.

Microsoft has acknowledged a new unpatched vulnerability in Internet Explorer 6 and 7, and said that the company is investigating methods for fixing the flaw. The company said that although there is public exploit code available for the vulnerability, it has not seen any evidence of ongoing attacks against the IE flaw yet. Experts said that the exploit code for the vulnerability, which was published on Friday on Bugtraq, was unreliable. However, researchers at IBM ISS’s X-Force said on Monday that they had developed a reliable exploit of their own for the flaw. In its advisory on the IE flaw, Microsoft said that the weakness affects IE6 and IE7 running on Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008. The vulnerability does not affect Windows 7, the company’s newest release, or IE8, the latest version of the browser. Microsoft also said that running IE7 in Protected Mode, which limits some of its functionality, on Windows Vista, mitigates some of the effects of the vulnerability. “At this time, we are aware of no attacks attempting to use this vulnerability against Internet Explorer 6 Service Pack 1 and Internet Explorer 7. We will continue to monitor the threat environment and update this advisory if this situation changes. On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs,” Microsoft said in its advisory. The next monthly patch release from Microsoft is due Dec. 8. Until a patch is available, Microsoft suggests several actions that could help mitigate the vulnerability, including setting IE to prompt you before it runs ActiveX controls or active scripting, and enabling DEP (Data Execution Protection) in IE7. To enable DEP, go to the Tools menu, click on Internet Options and then on the Advanced tab. Select the check box for “Enable memory protection to help mitigate online attacks.” Microsoft also has published a FixIt tool that will automatically enable DEP.

Heads up to all Microsoft Windows users: If you’re running Windows
2000, Windows XP or Windows Server 2003, stop what you’re doing and immediately download and apply the MS09-065 update released earlier this week.

Security researchers say it’s only a matter of time — days not weeks
— before malicious hackers start exploiting one of the vulnerabilities
via booby-trapped Web pages or Office (Word or PowerPoint) documents.

Microsoft today released its largest ever batch of Patch Tuesday updates to fix a whopping 34 security holes in a wide range of widely deployed software products.
The latest patch batch covers critical vulnerabilities in software products that are bundled with Microsoft’s dominant Windows operating system (Internet Explorer and Windows Media Player) — and several known security problems (SMB v2 and FTP in IIS) for which functioning exploit code has already been publicly released.

According to Microsoft’s advance notice, the patches coming on October 13 include fixes for two serious issues that are well-known and already documented — a code execution bug in SMB v2 and a gaping hole in FTP in IIS.
